This library provides PHP functions to read MO files even when gettext is not compiled in or when the appropriate locale is not present on the system.

This issue was discovered by auditing the NagVis project source code; however, NagVis itself is not impacted by the following issue.

NagVis is a visualization addon for the well-known network management system Nagios. NagVis can be used to visualize Nagios data, e.g. to display IT processes like a mail system or a network infrastructure.

The $string variable is not sufficiently sanitized before being passed to the (dangerous) eval() function in select_string(), which causes the security issue.

III. VULNERABILITY DESCRIPTION

The gettext_reader() function first tests the magic number, which must match one of the two .mo file signatures:

$MAGIC1 = "\x95\x04\x12\xde";

$MAGIC2 = "\xde\x12\x04\x95";

If the magic number matches, processing continues.

The plural forms are then extracted from the .mo file's header through the get_plural_forms() function and checked with the eregi() regexp function (deprecated since PHP 5.3.0 because it can easily be bypassed by adding a null byte) to validate that they match the following pattern:

plural-forms: ([^\n]*)\n

(This regular expression match has no effect on our payload.)

The next step is to "sanitize" the obtained expression string before the fatal eval() is performed on it.

Code snippet from the vulnerable function that executes eval() on the "sanitized" string:

snip…

    $string = $this->get_plural_forms();   // raw Plural-Forms header taken from the .mo file

    // the whole "sanitizing" step: three substitutions, nothing restricts what else $string may contain
    $string = str_replace('nplurals', "\$total", $string);
    $string = str_replace("n", $n, $string);
    $string = str_replace('plural', "\$plural", $string);

    $total = 0;
    $plural = 0;

    eval("$string");   // eval called on the (still attacker-controlled) header content
    // …. launch my shell baby !

snip…

For example (but not only!), we can call the system() function with "sh" as its parameter in order to launch /bin/sh on the targeted system, giving us an interactive shell with the application's privileges.
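As an added example (not code from php-gettext or NagVis), here is a replacement for select_string() that evaluates the Plural-Forms expression with a small parser instead of eval(). It assumes PHP 8, and the class name PluralExpr, the function name safe_select_string() and the two sample headers are my own; the input is the raw header string that get_plural_forms() would return.

```php
<?php
// Added example, not php-gettext's own code (PHP 8): a select_string() replacement that never calls eval().
// Accepted grammar is gettext's C-like subset: n, integers, ( ) ! ? : and || && == != < > <= >= + - * / %.
class PluralExpr {
    const TOKEN = '/\G\s*(\d+|n|\|\||&&|==|!=|<=|>=|[-+*\/%<>!?:()])/';
    const PREC = ['||'=>1,'&&'=>2,'=='=>3,'!='=>3,'<'=>4,'>'=>4,'<='=>4,'>='=>4,'+'=>5,'-'=>5,'*'=>6,'/'=>6,'%'=>6];
    private $tok = [], $i = 0, $n = 0;
    public function __construct($expr) {    // tokenize; any character outside the grammar aborts here
        for ($pos = 0, $expr = rtrim($expr); $pos < strlen($expr); $pos += strlen($m[0])) {
            preg_match(self::TOKEN, $expr, $m, 0, $pos) ?: throw new InvalidArgumentException("illegal token at offset $pos");
            $this->tok[] = $m[1];
        }
    }
    public function evaluate($n) {
        $this->n = (int)$n; $this->i = 0; $v = $this->ternary();
        return $this->i === count($this->tok) ? $v : throw new InvalidArgumentException('trailing tokens');
    }
    private function peek() { return $this->tok[$this->i] ?? null; }
    private function take() { return $this->tok[$this->i++] ?? throw new InvalidArgumentException('unexpected end'); }
    private function ternary() {            // lowest precedence, right-associative; both arms are parsed
        $c = $this->binary(1); if ($this->peek() !== '?') return $c;
        $this->take(); $a = $this->ternary();
        if ($this->take() !== ':') throw new InvalidArgumentException("expected ':'");
        $b = $this->ternary(); return $c ? $a : $b;
    }
    private function binary($min) {         // precedence climbing over PREC
        $l = $this->unary();
        while (($op = $this->peek()) !== null && (self::PREC[$op] ?? 0) >= $min) {
            $this->take(); $r = $this->binary(self::PREC[$op] + 1);
            if (($op === '/' || $op === '%') && $r === 0) throw new InvalidArgumentException('division by zero');
            $l = match ($op) {
                '||' => (int)($l || $r), '&&' => (int)($l && $r), '==' => (int)($l == $r), '!=' => (int)($l != $r),
                '<' => (int)($l < $r), '>' => (int)($l > $r), '<=' => (int)($l <= $r), '>=' => (int)($l >= $r),
                '+' => $l + $r, '-' => $l - $r, '*' => $l * $r, '/' => intdiv($l, $r), '%' => $l % $r };
        }
        return $l;
    }
    private function unary() {
        $t = $this->take();
        if ($t === '!') return (int)!$this->unary();
        if ($t === '(') { $v = $this->ternary(); if ($this->take() !== ')') throw new InvalidArgumentException("expected ')'"); return $v; }
        return $t === 'n' ? $this->n : (ctype_digit($t) ? (int)$t : throw new InvalidArgumentException("unexpected '$t'"));
    }
}
function safe_select_string($header, $n) {  // strict header match replaces str_replace()+eval(); min() is the original's clamp
    if (!preg_match('/^\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.+?)\s*;?\s*$/', $header, $m)) throw new InvalidArgumentException('malformed Plural-Forms header');
    return min((new PluralExpr($m[2]))->evaluate($n), (int)$m[1] - 1);
}
echo safe_select_string('nplurals=2; plural=(n != 1);', 5), "\n";   // constructed legitimate header: prints 1
try { safe_select_string('nplurals=2; plural=system("sh");', 5); } catch (InvalidArgumentException $e) { echo "rejected: ", $e->getMessage(), "\n"; }   // constructed tampered header
```

A tampered header is refused at tokenization, before any part of it is interpreted, so overwriting a locale file can at worst break plural selection rather than run code.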

A real scenario could be that an attacker overwrites the language files located in the /nagvis-1.8.5/share/frontend/nagvis-js/locale/ directory, in an internal repository, a Docker shared folder or any other folder.

He then just has to wait, or to trigger the payload himself, to obtain his shell, which is why this vulnerability is not so harmless!

Note:

Apart from that, we could imagine that the attacker transforms the $expr variable to obtain an interactive remote shell without eval() and with (maybe) more privileges, like this: